Protection of sensitive business information in AWS
```hcl
provider "aws" {
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  region     = "us-west-2"
}
```
The above Terraform script contains a serious security vulnerability: the AWS `access_key` and `secret_key` are hard-coded in plain text directly in the script. This is a major risk, as it exposes these sensitive credentials to anyone who has access to the source code.
These credentials are essentially the keys to the AWS kingdom. They can be used to access and control AWS resources, potentially leading to unauthorized access, data leaks, and other security incidents.
Moreover, if the source code is version controlled using a system like Git and is accidentally pushed to a public repository, these credentials could be exposed to the outside world. This could lead to disastrous consequences, including data breaches and substantial financial costs.
Therefore, it is highly recommended to never hard-code sensitive credentials directly in the source code. Instead, use secure methods of managing secrets, such as environment variables or AWS Secrets Manager.
```hcl
provider "aws" {
  region = "us-west-2"
}
```
The AWS provider block has been modified to remove the hard-coded AWS access key and secret key. This is a critical change to prevent the exposure of these sensitive credentials, which could lead to unauthorized access and potential data breaches.
The AWS credentials (access key and secret key) should not be hard-coded in the Terraform scripts or any other source code. Instead, they should be securely stored and accessed through secure means such as environment variables (with no keys in the block, the provider reads `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from the environment, or falls back to a shared credentials file or an attached IAM role) or AWS Secrets Manager.
In addition, proper access controls should be implemented to restrict who can access these AWS credentials. This could include IAM policies, security groups, and network access control lists (NACLs).
It is also recommended to regularly rotate these AWS credentials. This means generating a new set of AWS credentials and replacing the old ones. This can help to minimize the risk of exposure if the credentials are somehow compromised.
Finally, monitoring and logging access to these AWS credentials can help to detect any unauthorized access attempts. This could include CloudTrail logs, CloudWatch alarms, and third-party security tools.
By following these best practices, you can help to secure your AWS resources and protect your business information.
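As an added example that is not part of the original page, the following Python check scans Terraform text for the hard-coded provider credentials described above, so it can run as a pre-commit or CI gate before a `.tf` file reaches version control. The sample HCL is constructed for the demonstration (it reuses AWS's documented example key pair from the page); the attribute names and regex shapes are the author's assumptions, and it also flags a key ID placed in a `variable` default, which goes slightly beyond the page's provider-block case.

```python
import re
from dataclasses import dataclass

# Constructed sample: the page's vulnerable provider block, a variable default
# holding a key ID, and a clean provider block that relies on the credential chain.
SAMPLE_TF = '''
provider "aws" {
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  region     = "us-west-2"
}

variable "deploy_key" {
  default = "AKIAIOSFODNN7EXAMPLE"
}

provider "aws" {
  region = "us-west-2"
}
'''

# Any `name = "literal"` attribute in HCL; references such as var.x are not quoted.
ASSIGN_RE = re.compile(r'^[ \t]*([A-Za-z_][A-Za-z0-9_]*)[ \t]*=[ \t]*"([^"]*)"', re.M)
# Access key IDs: 4-char prefix (AKIA long-term, ASIA temporary) + 16 uppercase alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"(?:AKIA|ASIA)[A-Z0-9]{16}")
# Secret access keys: 40 characters from the base64 alphabet.
SECRET_KEY_RE = re.compile(r"[A-Za-z0-9/+=]{40}")
CREDENTIAL_ATTRS = {"access_key", "secret_key"}


@dataclass(frozen=True)
class Finding:
    line: int
    attribute: str
    reason: str


def scan_terraform(text: str) -> list[Finding]:
    """Return one Finding per hard-coded AWS credential in the given HCL text."""
    findings = []
    for m in ASSIGN_RE.finditer(text):
        attr, value = m.group(1), m.group(2)
        line = text.count("\n", 0, m.start()) + 1
        if attr in CREDENTIAL_ATTRS:
            # Provider credentials must never be literals, whatever the value looks like.
            findings.append(Finding(line, attr, "provider credential given as a string literal"))
        elif ACCESS_KEY_ID_RE.fullmatch(value):
            findings.append(Finding(line, attr, "value is shaped like an AWS access key ID"))
        elif "secret" in attr and SECRET_KEY_RE.fullmatch(value):
            findings.append(Finding(line, attr, "value is shaped like an AWS secret access key"))
    return findings
```

Running `scan_terraform(SAMPLE_TF)` reports the `access_key` and `secret_key` lines of the first provider block and the `default` of the variable, while the remediated region-only block produces no findings.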